Improving the health of NHS app security

In this article, Dan Lyon or Cigital takes a deeper look into the cybersecurity issues surrounding the vulnerability of apps used on a daily basis in healthcare environments and discusses how organisations such as the NHS can ensure data remains secure while still providing patients and medical professionals with secure, connected access to digitised services

Advancements in technology will drive significant changes in the way health services are delivered.

Hospitals and their technologies are being increasingly targeted due to the rich amount of data they have in their possession and there have been reports of cyber security flaws in hospital systems

Earlier this year, the Government announced an £4.2billion investment in NHS technology. DigitalHealth.London has even recently launched a new accelerator programme designed to help SMEs develop digital healthcare systems and technologies, and offering the opportunity to showcase this technology to the NHS.

But how will this affect cybersecurity in the NHS?

Hospitals and their technologies are being increasingly targeted due to the rich amount of data they have in their possession and there have been reports of cyber security flaws in hospital systems.

Two important security concerns arise with new medical technology, and healthcare technology firms are not well suited to tackle them. First is patient data security. With so much free flow of information, medical data can be harnessed in novel ways to identify treatments, diseases, and trends in healthcare. The industry, however, has few controls on how medical data moves around.

Secondly, technology must be reliable enough that lives are not at risk. The slapdash world of the Internet of Things (IoT) is incompatible with the kind of rigor and reliability needed in medical technology.

Users think little of security when downloading apps and sharing personal information. They are also given little or no guidance on the risks and rewards of using medical apps or sharing medical data.

In medicine we talk about ‘informed consent’, where doctors and patients collaborate to weigh the risk and benefits of treatment. In technology, neither doctors nor patients have sufficient knowledge to make informed choices about installing apps, sharing data, or trusting technology.

When it comes to evaluating the security of a technology – for example a mobile app or a technological diagnostic tool - medical professionals have no greater insight into the privacy and security than the rest of us.

Security in a mobile world

According to a recent Skycure report, 80% of doctors use their mobile devices to assist in their day-to-day practice, with 28% storing patient information on these devices. Subsequently, a study into the data security of NHS apps revealed that many leak private data about doctors and patients, with many also failing to encrypt patient information before it is sent over the internet.

The slapdash world of the Internet of Things is incompatible with the kind of rigor and reliability needed in medical technology

Providers of healthcare apps make claims about software security; but doctors, administrators, and healthcare facilities often lack the knowledge and resources to evaluate the claims that manufacturers make.

According to a report from Arxan Technologies, 80% of apps formerly approved by the NHS were vulnerable to at least two of the Open Web Application Security Project (OWASP) top 10 mobile risks. Research has also shown that, even without experiencing cyberattacks on their apps, around 80% of health app users would change providers if their apps were known to be vulnerable.

Interestingly, more than 75% of mobile health app providers also believed users would change providers if they knew their apps were insecure, or if a similar provider offered a more-secure version. Patients and healthcare professionals are not in a position to evaluate apps and technologies directly, though, so there is little chance they will actually change.

Insecure technology

In May 2016, antivirus technology interrupted a blood monitoring workstation during a patient procedure. Luckily no-one was harmed, but technology must be robust when patient lives are at stake. Consumer technology for buying merchandise and sharing photos can rapidly evolve and have weekly bug fixes and patches. Technology in the medical industry must be substantially more tested and cannot sustain unpredictable, rapid evolution that might work in other industries.

So what can the NHS and mobile app providers do?

There are ways in which the NHS and mobile app providers can work together to provide secure app environments for their users. These include:

Aim for a level of security higher than required by regulatory bodies: Regulatory bodies often lag the cutting edge of technology. The healthcare industry needs to view compliance with regulatory security recommendations or rules as necessary, but not sufficient

Evaluate security claims sceptically: App makers and technology companies will make vague claims like ‘we use industry-leading cryptography’ and will exaggerate the importance of encryption. Those professionals responsible for assessing the security of systems need to take vague claims with a grain of salt. The OWASP Mobile Top Ten is a good framework to help someone sceptically evaluate security claims

The future of healthcare is no doubt digital, but in order for it to be secure, robust mobile app security is not only a wise technology process and investment, but also a smart business one

Transparent security: Technology makers need to explain the security in language that is thorough, unambiguous and factual. Providing this kind of transparency will enable the consumers to identify where additional controls may be necessary

Align budget with risks: Many organisations neglect to allocate any budget to mobile security, but spending should be proportionately allocated based on where there is risk

The future of healthcare is no doubt digital, but in order for it to be secure, robust mobile app security is not only a wise technology process and investment, but also a smart business one.